The threat actor behind the BlackRock and ERMAC Android banking trojans has uncovered yet another malware for rent called Hook which introduces new capabilities to access files that are stored in the devices and create a remote interactive session.
Hook as a novel ERMAC fork which is advertised for sale for $7,000 per month while featuring all the capabilities of its predecessor.
Remote Access Tooling (RAT) capabilities which joins ranks of families such as Octo and Hydra are capable of performing a full Device Take Over (DTO) and also complete a full fraud chain from PII exfiltration to transaction with help of all the intermediate steps that too without the need of additional channels.
The Dutch cybersecurity firm said that racterized Hook as a novel ERMAC fork advertised for sale for $7,000 per month while it advertise all the capable financial apps which are targeted by the malware which is located in the U.S., Spain, Australia, Poland, Canada, Turkey, the U.K., France, Italy, and Portugal.
Hook is the handiwork of a threat actor which is known as DukeEugene and represents the latest evolution of ERMAC .
ERMAC was always behind Hydra and Octo in terms of capabilities and features.
Among the other major features which are added to Hook is the ability to remotely view and interact with the screen of the infected device and to obtain files, extract data from crypto wallets, and track the user’s phone’s location and led to banking malware.
Hook artifacts observed so far in a testing phase but it also noted it could be delivered through campaigns, Telegram channels or could be in the form of Google Play Store dropper apps.
The main drawback of creating a new malware is usually gaining enough trust by other people but with the status of DukeEugene ., It is very likely that this will not be an issue for Hook.